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Security Module with Volatile Memory 
for Storing an Algorithm Code 

10 Cross-Reference to Related Application : 

This application is a continuation of copending Interna- 
tional Application No, PCT/EP02/00733, filed January 24, 
2002, which designated the United States and was not pub- 
lished in English. 

15 

BACKGROUND OF THE INVENTION 

1 - Field of the Invention: 

20 The present invention relates to security modules, as em- 
ployed for example for pay TV applications, credit cards, 
telephone cards or as TPM plug- in cards, and refers in par- 
ticular to securing the algorithm code that is employed for 
the communication between security module and terminal 

25 against external attacks. 

2 . Description of the related art: 

With the increasing advent of cashless payment traffic and 
30 the increasing information- technological networking as far 
as into individual households, such as e.g. in case of pay 
TV applications, there is an increasing demand for crypto- 
graphic algorithms in order to be able to perform digital 
signatures, authentications and encryption tasks. Known 
35 cryptographic algorithms comprise asymmetric encryption al- 
gorithms, such as e.g. the RSA algorithm, symmetric encryp- 
tion processes, such as e.g. the DSE process, as well as 
processes based on elliptic curves. 
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5 In order to be able top perform the computations prescribed 
by the cryptographic algorithms in everyday life with an 
acceptable speed on the one hand and in as convenient man- 
ner for the user as possible on the other hand, chip cards, 
such as smart cards or signature cards, are employed com- 

10 prising an individually provided cryptographic processor 
for implementing the cryptographic algorithm. Depending on 
the particular application or use, the cryptographic proc- 
essor must be capable of performing authentications, signa- 
tures, certifications and encryptions or decryptions in ac- 

15 cordance with different cryptographic algorithms. In addi- 
tion to implementation of the cryptographic algorithms, the 
chip card contains stored, chip card- specif ic information, 
such as a secret key and, in case of a credit card, the 
credit card number, the account number and the balance and, 

2 0 in case of a pay TV smart card, a smart card ID, a customer 
ID and other customer- specif ic information. A chip card en- 
ables the user of • the chip card to carry out certain trans- 
actions, such as e.g. debiting, on specifically provided 
terminals or other end apparatus, such as pay TV decoders, 

2 5 in simple and efficient manner. In this regard, the crypto- 
graphic algorithms implemented on the chip card provide for 
protection of the chip card traffic against criminal ma- 
nipulations . 

30 For protecting chip card terminal systems against criminal 
manipulations, specific protocols are employed between ter- 
minal and chip card, comprising e.g. mutual authentication 
as well as encryption and decryption operations making use 
of the cryptographic algorithms implemented in the crypto- 

35 graphic processor. A problem with conventional chip cards 
consists in that the algorithms used for the secret func- 
tions, e.g. for encryption, are fixedly provided on the 
chip card in the form of a fixed wiring and/or in stored 
form and thus are susceptible to being spied out by poten- 

4 0 tial attackers. Spying out of cryptographic algorithms im- 
plemented in chip cards by an attacker comprises, for exam- 
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5 pie, the chemical removal of the circuit structure of the 
cryptographic processor and the optical analysis of the ex- 
posed semiconductor structures. If an attacker, by way of 
the chip card in his possession, succeeds in obtaining the 
cryptographic algorithm implemented therein, the attacker 

10 will be in the position, due to his knowledge of the cryp- 
tographic algorithm and thus by the possibility of imple- 
menting the same, to carry out certain attacks against the 
chip card in order to obtain the secret data, such as the 
secret key or other data of crucial security of the chip 

15 card. When the underlying cryptographic algorithm is known, 
the attacks have a by far greater chance of success, and 
consequently the security chain of the chip card traffic is 
at risk. 

20 With conventional chip cards, the problem of spying out is 
counteracted merely by specific hardware processes or tech- 
nologies, such as by the hidden contact process. In case of 
this process, attempts are made to prevent the optical 
analysis of removed semiconductor structures and thus a 

25 conclusion to the underlying electronic circuit by means of 
hidden contacts and by the use of specific layout libraries 
for the underlying gates, in which different gates, such as 
AND gates and OR gates, differ from each other merely by 
different doping. These hardware concealing measures indeed 

30 increase the expenditure for finding out the underlying 
cryptographic algorithms for the potential attacker, but on 
the other hand increase also the circuitry and design ex- 
penditure, the chip area and thus the costs of the crypto- 
graphic processor and the chip card, respectively. 

35 

A chip card with increased security against foreign attacks 
and reduced circuit expenditure is very attractive for chip 
card manufacturers in particular with regard to the high 
market potential and the large numbers of pieces in which 
4 0 chip cards are produced. 
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5 SUMMARY OF THE INVENTION 

It is the object of the present invention to make available 
a security module, a terminal and a process such that secu- 
rity module traffic with a higher level of security may be 
10 ensured. 



In accordance with a first aspect of the invention, this 
15 aspect is achieved by a security module for use with a ter- 
minal, comprising a data interface adapted to be coupled to 
a terminal, for receiving at least part of an algorithm 
code or of the complete algorithm code from the terminal, 
with the algorithm code concerning a processing of secrets, 
20 an energy interface for receiving supply energy from the 
terminal; a volatile memory for storing the part of the 
algorithm code or -the complete algorithm code received via 
the data interface, said volatile memory being coupled to 
the energy interface in order to have energy supplied 
25 thereto such that the same will be cleared upon an inter- 
ruption of the receipt of the supply energy from the termi- 
nal; and a processor for performing the algorithm code in 
order to obtain an algorithm code result that can be deliv- 
ered to the terminal. 

30 

In accordance with a second aspect of the invention, this 
aspect is achieved by a terminal for use with a security 
module, comprising: a data interface adapted to be coupled 
to the security module, for transmitting at least part of 

35 an algorithm code or the complete algorithm code from the 
terminal to a volatile memory of the security module and 
for receiving the algorithm code result from the security 
module, with the algorithm code concerning a processing of 
secrets; and an energy interface for delivering supply en- 

4 0 ergy to the security module, with the volatile memory being 
supplied by the supply energy, such that the same will be 
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5 cleared upon an interruption of the receipt of the supply 
energy from the terminal, with the terminal, for each com- 
munication operation between terminal and security module 
during one and the same communication operation with the 
security module, being designated to send at least the part 
10 of the algorithm code or the complete algorithm code to the 
volatile memory of the security module; and, subsequently, 
during the further communication process, receive the algo- 
rithm code result from the security module. 

15 In accordance with a third aspect of the invention, this 
aspect is achieved by a process for computing an algorithm 
code result using a security module, comprising the steps 
of: receiving at least part of an algorithm code or the 
complete algorithm code by means of an energy interface, 

2 0 with the algorithm code concerning a processing of secrets; 
volatile-storing said part of the algorithm code or said 
complete algorithm code in a volatile memory of the secu- 
rity module, with the volatile memory being coupled to the 
energy interface, to be supplied with energy, such that the 

25 same will be cleared upon an interruption of the receipt of 
the supply energy from the terminal: performing said algo- 
rithm code on the security module in order to obtain an al- 
gorithm code result; delivering said algorithm code result 
to the terminal; and clearing said volatile memory upon an 

30 interruption of the receipt of the supply energy from the 
terminal . 

In accordance with a fourth aspect of the invention, this 
aspect is achieved by a process for controlling a security 

35 module using a terminal in order to obtain an algorithm 
code result from the security module, with the process com- 
prising for each communication operation, performing the 
following steps during one and the same communication op- 
eration with the security module: delivering supply energy 

4 0 from the terminal to the security module; transmitting at 
least part of an algorithm code or the complete algorithm 
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5 code from the terminal to a volatile memory of the security 
module; with the algorithm code concerning a processing of 
secrets, with the volatile memory being supplied by the 
supply energy, such that the same will be cleared upon an 
interruption of the receipt of the supply energy from the 
10 terminal; and receiving the algorithm code result from the 
security module. 

In accordance with a fifth aspect of the invention, this 
aspect is achieved by a process for communication between a 

15 security module and a terminal, comprising the steps of: 
transferring at least part of an algorithm code or the 
complete algorithm code from the terminal to the security 
module, with the algorithm code concerning a processing of 
secrets; volatile-storing said part of the algorithm code 

20 or said complete algorithm code in a volatile memory of the 
security module, with the volatile memory being supplied by 
the supply energy,- such that the same will be cleared upon 
interruption of the receipt of the supply energy from the 
terminal; performing said algorithm code on the security 

2 5 module in order to obtain an algorithm code result; deliv- 
ering said algorithm code result to the terminal; and 
clearing said volatile memory upon an interruption of the 
receipt of the supply energy from the terminal . 

30 The present invention is based on the finding that the se- 
curity of a security module, such as e.g. a chip card, 
against foreign attacks may be enhanced in that at least 
part of the algorithm code is not fixedly stored on the se- 
curity module, but rather that this missing part of the al- 

35 gorithm code is stored in a volatile memory of the security 
module during communication between the terminal and the 
security module only, with the algorithm code comprising 
functions of crucial security, such as debiting functions, 
or cryptographic algorithms or concerning the processing of 

4 0 secrets in general. It is thus effectively prevented that 
the complete algorithm code is provided on a security mod- 
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5 ule in the power of a potential attacker, and consequently 
it will become impossible for the potential attacker to ac- 
cess the algorithm code in order to spy out secret keys or 
other secret data, and to run or perform the same in accor- 
dance with specific attack processes, using e.g. fault at- 

10 tacks or information leakage attacks. In other words, it 
will be made nearly impossible to a potential attacker to 
utilize the algorithm code, such as an encryption algo- 
rithm, in abusive manner since this code is not permanently 
stored on the security module in complete form and thus, 

15 outside the utilization at a corresponding terminal, is not 
in the possession of the attacker. 

According to the invention, a security module, such as a 
chip card, comprises a TPM (Trusted Platform Module) in the 

20 form of a computer plug- in module or a smart card, for use 
with a terminal in addition to a data interface adapted to 
be coupled to the terminal and receiving from the terminal 
at least part of the algorithm code or the complete algo- 
rithm code, an energy interface receiving supply energy, as 

2 5 well as a volatile memory for storing the part of the algo- 
rithm code received via the data interface or of the com- 
plete algorithm code received, with the volatile memory be- 
ing coupled to the energy interface in order to have energy 
supplied thereto. A processor performs the algorithm code 

30 in order to obtain an algorithm code result that can be de- 
livered to the terminal. The not received remainder of the 
algorithm code may be stored, for example, in a non- 
volatile memory, such as a ROM, of the security module. If 
there is not sufficient supply energy present, there is 

35 thus no complete algorithm code contained in the non- 
volatile memory of the security module, and consequently 
there is no complete algorithm code available to be run by 
a potential attacker. 

40 A terminal suitable for use with the security module de- 
scribed hereinbefore, such as e.g. an automatic cash dis- 
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5 penser, a mobile telephone with card reader, a pay TV de- 
coder or a computer having a plug- in place for a TPM, com- 
prises for example a data interface that is adapted to be 
coupled to the security module and transmits the part of 
the algorithm code or the complete algorithm code from the 
10 terminal to the volatile memory of the security module and 
receives the algorithm code result from the security mod- 
ule, as well as an energy interface delivering the supply 
energy to the security module. 

15 According to a specific embodiment, an authentication, such 
as an authentication according to the challenge and re- 
sponse scheme, is carried out between the terminal and the 
security module during a communication between terminal and 
security module. The transfer of the algorithm code from 

2 0 the terminal to the security module is carried out in en- 
crypted and certified form in order to counteract eaves- 
dropping and manipulation of the communication connection 
between terminal and security module . The terminal or the 
security module to this end contains suitable means for 

25 performing authentication, encryption and decryption as 
well as certification and certification examination, re- 
spectively. For increased security and for effectively pre- 
venting access of a potential attacker to the transferred 
part of the algorithm code, the security module may have in 

30 addition a monitoring means which, if predetermined secu- 
rity conditions are fulfilled, clears the volatile memory. 
Such security conditions may comprise the interruption, an 
irregularity and a fluctuation in the supply voltage and/or 
the processor or system clock or other operating parameters 

35 as they may be effected by manipulation of the security 
module while the latter interacts with the terminal. In the 
event that the monitoring means has not effected prelimi- 
nary clearing of the memory, the volatile memory and thus 
the part stored of the algorithm code is cleared at the 

4 0 latest upon termination of the communication between termi- 
nal and security module or upon interruption of the supply 
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5 energy, respectively, such as e.g. by withdrawal or removal 
of the security module from the terminal, whereby this part 
of the algorithm code is no longer available to a potential 
attacker for performing in the scope of specific attacks. 

10 In order to further reduce the attackability of the system, 
it may be provided to transfer the part of the algorithm 
code from the terminal to the security module intermit- 
tently in modified form and repeatedly and, in doing so, to 
store each time the newly transferred, altered part of the 

15 algorithm code in the volatile memory instead of the old 
stored part of the algorithm code. This renders possible 
changes in a cryptographic algorithm during the communica- 
tion between terminal and security module, such as e.g. in 
case of pay TV applications, but also changes in the algo- 

2 0 rithm code each time upon initialization of a terminal - 
security module communication, such as e.g. in case of 
credit cards, whereby it is further aggravated for a poten- 
tial attacker to adjust to, or find out, the algorithm code 
employed. 

25 

In addition to protecting the algorithm code of the secu- 
rity module against spying out by a potential attacker, an 
additional advantage of the present invention consists in 
that it is applicable to a multiplicity of application 

30 fields, such as e.g. EC cards, credit cards, multi- 
application cards or pay TV smart cards. Depending on the 
particular application, the algorithm code or security 
function code received by the security module contains 
parts of a code for functions of crucial security or one or 

35 more cryptographic algorithms of the security module. For 
chip card producers or producers of security modules, the 
versatile applicability as well as the enhanced security 
against potential attacks means increased acceptance in the 
market and thus an increased market share. In addition 

4 0 thereto, the security of the security module is increased 
in inexpensive manner as the increased security is achieved 



S&ZIO020101 



10 



5 by software loading of the volatile memory. The conven- 
tional and complex hardware measures for protecting the al- 
gorithm code against potential attackers, as described 
hereinbefore, may either be carried out in addition or be 
replaced by less expensive hardware techniques since the 
10 functions of crucial security or the underlying crypto- 
graphic algorithm of the security module are not perma- 
nently provided on the chip card. 

Further developments and further alternative embodiments of 
15 the present invention are defined in the attached dependent 
claims . 

BRIEF DESCRIPTION OF THE DRAWINGS 

2 0 Preferred embodiments of the present invention will be elu- 
cidated in detail hereinafter with reference to the accom- 
panying drawings in which 

Fig. 1 shows a schematic diagram illustrating the se- 
2 5 quence of operations during communication of a 

chip card with a terminal according to the pre- 
sent invention; 

Fig. 2 shows a block diagram of a chip card structure 
30 according to an embodiment of the present inven- 

tion; and 

Fig. 3 shows a terminal construction according to an em- 
bodiment of the present invention. 



35 



Detailed Description of the Preferred Embodiments 



It is pointed out that the following detailed description 
of specific embodiments of the present invention refers to 
4 0 chip card applications by way of example only, and that the 
present invention is also applicable to other security mod- 
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5 ules, such as TPMs in the form of plug- in cards; the fol- 
lowing description may easily be transferred to such appli- 
cations. Accordingly, the following description also refers 
to terminals for chip cards, such as e.g. cash dispensing 
machines, by way of example only, although a terminal ac- 

10 cording to the present invention, in other fields of appli- 
cation, may also be a computer, for example, having a TPM 
in the plug- in spaces thereof, or a mobile telephone with a 
smart card in the card reader thereof, or the terminal may 
generally be an arbitrary apparatus capable of communicat- 

15 ing with the security module. 

Reference is made first to Fig. 1, illustrating the se- 
quence of operations during communication between a termi- 
nal and a chip card, as it results for example when a chip 
20 card is introduced into a terminal. In case of chargeable 
radio broadcasting, the chip card may be, for example, a 
pay TV smart card and the terminal may be the respective 
end apparatus or decoder of a pay TV customer. In the event 
the chip card is a credit card, the terminal is a cash dis- 

2 5 pensing machine, for example. 

Fig. 1 illustrates the chip card 10 and the terminal 20 be- 
side each other in the form of rectangles with rounded cor- 
ners. Underneath the same, the various steps carried out 
30 during communication or interaction of the chip card 10 
with the terminal 20 are shown schematically by arrows and 
blocks in downward direction in the sequence of their oc- 
currence. The directions of the arrows indicate the direc- 
tions of the data flows in which the data are transmitted, 

3 5 whereas the blocks represent measures performed in the chip 

card 10. 

The steps illustrated in Fig. 1 have the prerequisite that 
a communication is already possible between the terminal 

4 0 and the chip card which, for example, may be the case upon 

introduction of the chip card into the terminal; in this 
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5 regard, the terminal 2 0 may be a contactless or contact 
terminal, and the communication connection thus may take 
place without contact or via a contact. It is necessary 
furthermore for communication that chip card 10 be supplied 
with energy from terminal 20, which may also be carried out 

10 in contactless manner via electromagnetic radiation or via 
a contact. After the communication connection between ter- 
minal 20 and chip chard 10 has been established and supply 
energy has been supplied to chip card 10, initializing 
steps may be carried out first, such as e.g. the mutual 

15 agreement on the relevant protocol etc. 

After the steps (not shown) of supplying energy to the chip 
card 10, establishing the communication connection as well 
as initializing the communication between terminal 20 and 

20 chip card 10, mutual authentication between terminal 20 and 
chip card 10 is carried out in a step 30, e.g. an authenti- 
cation in accordance with the challenge and response proc- 
ess. The mutual authentication may comprise, for example, 
the inputting of a PIN (Personal Identification Number) by 

25 the card user, in which the mutual authentication 3 0 makes 
use, for example, of chip card- specif ic data stored on the 
chip card 10, such as e.g. a chip card identification num- 
ber and a personal identification number, in connection 
with a chip card key stored on the chip card as well as an 

30 authentication code stored on the chip card and represent- 
ing a cryptographic algorithm, such as e.g. a symmetric or 
an asymmetric cryptographic algorithm. The authentication 
serves to make sure that only admitted chip cards may com- 
municate with admitted terminals. If the authentication 

35 yields an error, the communication connection is termi- 
nated. 

Upon successful mutual authentication 30, the terminal 20 
in a step 4 0 transmits part of the algorithm code to the 
4 0 chip card 10 in encrypted and certified form. The encryp- 
tion of the transferred part of the algorithm code protects 
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5 the transmission against eavesdropping by a potential at- 
tacker, while the certification in the terminal 20 of the 
chip card 10 is to provide a guarantee as to the origin of 
the transferred part of the algorithm code. For decryption 
of the transferred part of the algorithm code and for exam- 

10 ining the certificate as well as for performing the mutual 
authentication 30, the chip card 10 comprises suitable au- 
thentication, decryption and certificate examining means 
which are constituted by part of the hardware and by codes 
stored in a non-volatile memory of the chip card, such as 

15 e.g. the authentication code. The cryptographic algorithms 
underlying said mutual authentication 3 0 and said encryp- 
tion and certification 4 0 may comprise symmetric or asym- 
metric cryptographic processes, such as e.g. the RSA or the 
DES algorithm or an arbitrary other cryptographic algo- 

2 0 rithm. 

In case the certificate examination reveals that the cer- 
tificate lacks genuineness, the communication between ter- 
minal 2 0 and chip card 10 is interrupted, and there may be 

25 provisions made that the chip card 10 does not longer carry 
out processings for a predetermined period of time. It is 
thus avoided that a potential attacker taps the communica- 
tion connection between terminal 20 and chip card 10 and 
enters a "false" code to the volatile memory of the chip 

30 card 10 which, upon performing by the chip card 10, could 
effect the outputting of secret data stored on chip card 
10, for example. 

If the certificate examination revealed the genuineness of 
35 the certificate, the transferred part of the algorithm code 
is then stored, in a step 50, in a volatile memory of chip 
card 10 either in encrypted or in decrypted form. Depending 
on encrypted or decrypted storage, the algorithm code is 
decrypted before storage thereof or before performing by a 
40 cryptographic processor on chip card 10. The algorithm code 
having a part thereof transferred in step 4 0 may comprise 
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5 the program code of one or a plurality of functions of cru- 
cial security of the chip card 10, such as e.g. a debiting 
or crediting function for charging or discharging the chip 
card 10 , or the program code for performing a cryptographic 
algorithm necessary during the further communication se- 

10 quence, such as e.g. a symmetric or asymmetric crypto- 
graphic process, an RSA algorithm, encryption according to 
the DES standard, an elliptic curve process or another se- 
cret algorithm, however without restriction to these exam- 
ples. In the event of a pay TV application, the algorithm 

15 code comprises, for example, information with respect to 
decryption of the television data of a chargeable program, 
such as e.g. the repermutation of the image lines of an im- 
age of the television data. Consequently, the algorithm 
code to be protected is present in complete form on chip 

20 card 10 only during the time of execution of the communica- 
tion between terminal 20 and chip card 10. 

In a step 60, the algorithm code now contained in complete 
form on chip card 10 is utilized and performed by a proces- 

25 sor provided on the chip card 10. In the afore-mentioned 
pay TV example, the processor of chip card 10 performs, for 
example, the repermutation of the image lines of the tele- 
vision images by way of the algorithm code stored. In a 
debit application of the chip card 10, such as e.g. with 

30 telephone cards, the algorithm code indicating a debiting 
or crediting function is used for example for crediting or 
debiting a balance provided on the chip card 10. With 
credit card applications, step 60 comprises for example the 
performing of the algorithm code indicating a cryptographic 

35 algorithm by means of a cryptographic processor of chip 
card 10 in order to place money transfer orders, for exam- 
ple . 

In a step 70, the part of the algorithm code stored in the 
4 0 volatile memory is cleared again. Clearing of the algorithm 
code may be effected, for example, by taking out the chip 
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5 card 10 from terminal 10 by the card user and by thus in- 
terrupting the delivery of supply energy from terminal 2 0 
to chip card 10. For preventing attempts of potential at- 
tackers to protect the volatile memory, e.g. a RAM, against 
loss of the stored part of the algorithm code, whereby 

10 these would come into possession of the complete algorithm 
code, the chip card 10 may have a specific monitoring means 
provided thereon which effects active clearing of the vola- 
tile memory of the chip card 10 also if a monitoring opera- 
tion reveals that specific security conditions are ful- 

15 filled, such as interruption of the system clock, the in- 
terruption of the delivery of supply energy or other indi- 
cations for a possible attack, such as voltage fluctuations 
or the like. Consequently, the algorithm code, after utili- 
zation of the chip card 10 in the terminal 2 0 or interfer- 

20 ence with the communication sequence, is no longer present 
on chip card 10 and thus is no longer exposed either to po- 
tential attacks and spying out by potential attackers.- An 
attacker in possession of the chip card cannot carry out 
security computations on the basis of the complete algo- 

2 5 rithm code since the latter is not completely in the range 
of access of the attacker. The spying out of keys or algo- 
rithms is thus effectively prevented. 

After the sequence of operations during communication of a 
30 chip card with a terminal has been described with reference 
to Fig. 1, various possibilities will be described first 
hereinafter as to which parts of an algorithm code are 
transferred from the terminal to the volatile memory of the 
chip card. In the event that the algorithm code contains 
35 the program code of a secret, not yet known cryptographic 
algorithm, it may be advantageous for example to completely 
transfer the algorithm code from the terminal to the vola- 
tile memory of the chip card, whereby this secret crypto- 
graphic algorithm would be effectively protected against 
4 0 spying out by a potential attacker. 
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5 In the event that the part transmitted or transferred of 
the algorithm code contains part of a program code of a 
known cryptographic algorithm, the transferred part of the 
program code comprises, for example, memory addresses in 
which the computation components underlying the cryptologic 

10 computation are stored, thereby effectively preventing that 
a potential attacker in possession of the chip card can 
perform the security computations based on this crypto- 
graphic algorithm, since the required memory addresses for 
performing the program code and for performing the memory 

15 accessing operations by the processor of the chip card, 
which are necessary therefor, are missing. 

In the event of a known cryptographic algorithm, the trans- 
ferred part of the algorithm code may contain jump ad- 

2 0 dresses pointing either as a start address to the beginning 
of a specific program code or as conditional or uncondi- 
tional program jumps to the beginnings of specific partial 
routines. Without knowing these jump addresses, it is ren- 
dered very difficult for an attacker to spy out the chip 

2 5 card in his possession. 

In a specific example, a plurality of program codes for 
various cryptographic algorithms may be provided on the 
chip card 10, with the transferred part of the algorithm 

30 code containing a start address of a specific one of the 
various cryptographic algorithm program codes that has just 
been selected by the terminal. The terminal selects, for 
example, for each new chip card terminal communication op- 
eration a new cryptographic algorithm from the plurality of 

35 cryptographic algorithms, or the selection is carried out 
anew dynamically several times during a communication op- 
eration in order to dynamically alter the cryptographic al- 
gorithm selected. 

4 0 It may be provided furthermore that the transferred part of 
the algorithm code contains start addresses, jump addresses 
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5 or memory addresses of a program code that is necessary for 
debiting or crediting or for other functions of crucial se- 
curity of the chip card. It is possible, furthermore, that 
steps 40, 50 and 60 illustrated in Fig. 1 are repeated, 
with the transferred part of the algorithm code being al- 
io tered in a predetermined way. In each pass, the old part of 
the algorithm code stored in the volatile memory of the 
chip card is written over with the new transferred part of 
the algorithm code, which then is performed or run by the 
processor of the chip card. By way of this dynamic modifi- 
15 cation of the part of the algorithm code stored in the 
volatile memory, there is additional security obtained. 

With reference to Fig. 2 and Fig. 3, possible embodiments 
for the construction of a chip card and a terminal, respec- 

2 0 tively, will be described hereinafter. Fig. 2 shows a block 
diagram of a chip card generally designated 100. Chip card 
100 comprises a data interface 110, an energy interface 
120, a RAM 130, a processor 140 and a ROM 150. The data in- 
terface 110 is adapted to be coupled to a terminal (not 

25 shown) for example via a contactless coupling or via a con- 
tact and is capable of transmitting data from the chip card 
to the terminal and, vice versa, of receiving data from the 
terminal. The data interface 110 is connected to processor 
14 0 whereby the data to be transmitted and received can be 

30 transmitted to and from processor 140, respectively. The 
energy interface 12 0 is adapted to be coupled to the termi- 
nal as well in order to obtain from the terminal supply en- 
ergy in the form of, for example, electromagnetic energy or 
a supply voltage. Energy interface 120 distributes the sup- 

35 ply energy to the processor 140 and the RAM 130. 

Processor 14 0 consists, for example, of a CPU (not shown) 
and a plurality of crypto coprocessors (not shown) that are 
controlled by the CPU and are designed for performing spe- 
4 0 cific computations necessary for the one or more crypto- 
graphic algorithms implemented in chip card 100, such as 
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5 e.g. modular or arithmetic computations. In addition to 
control of the crypto coprocessors, the CPU carries out the 
communication with the terminal via data interface 110 as 
well as memory accessing operations to ROM 150 connected to 
processor 140. The ROM 150 contains, for example, chip card 
10 specific information, e.g. a chip card identification num- 
ber, a personal identification number, an account number, a 
balance or the like. 

The CPU of processor 140 takes over the tasks for initial - 

15 izing a communication of a terminal with the chip card 100, 
for authentication as well as for decryption and certifi- 
cate examination upon receipt of the part of the algorithm 
code transferred according to the invention; a program code 
necessary therefor may be stored in ROM 150. For performing 

2 0 the further communication with the terminal, e.g. for per- 
forming security-specific functions, such as the withdrawal 
of a balance stored in ROM 15 0, or a cryptographic algo- 
rithm for carrying out an account crediting/debiting trans- 
action, the CPU of processor 140 is program- controlled by a 

2 5 program code which, during communication of the chip card 
100 with the terminal, according to the invention, is at 
least in part present in RAM 13 0 connected to processor 
14 0, whereas it is otherwise not present at all or just in 
part in ROM 150 on the chip card 100. Consequently, a po- 

30 tential attacker in possession of the chip card 100, as de- 
scribed hereinbefore, cannot carry out the security compu- 
tations by way of processor 14 0, since parts of the algo- 
rithm code are missing and are stored in volatile memory 
13 0 only upon communication of the chip card with the ter- 

35 minal . 

Fig. 3 shows a block diagram illustrating the terminal con- 
struction in accordance with an embodiment of the present 
invention. The terminal, generally designated 200, com- 
4 0 prises a data interface 210, an energy interface 22 0, a 
processor 23 0 connected to data interface 210 and energy 
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5 interface 220, as well as a memory 240 connected to proces- 
sor 230. The data interface 210 is adapted to be coupled to 
the data interface of a corresponding chip card in order to 
carry out a data exchange between the terminal 2 00 and the 
chip card (not shown) . The energy interface 22 0 is also 

10 adapted to be coupled to an energy interface of the par- 
ticular chip card in order to deliver supply energy 
thereto. Processor 23 0 controls, for example, the sequence 
of operations during communication of terminal 200 with the 
chip card and performs, for example, the initialization, 

15 authentication, the encryption of the algorithm code to be 
transferred, which is stored in memory 240, the certifica- 
tion thereof as well as the transfer of the encrypted and 
certified algorithm code to the data interface 210 for 
transfer thereof to the chip card. 

20 

It is to be pointed out that memory 24 0 may already contain 
the algorithm code, for example, in encrypted form, so that 
the processor 23 0 need not encrypt the said code and the 
same is not present in uncoded text, neither in the memory 
2 5 24 0 nor elsewhere. 

With respect to the preceding description, it is pointed 
out that the same has referred to specific embodiments 
only. The mutual authentication and the encryption of the 

30 part transferred of the algorithm code as well as the cer- 
tification may be omitted in specific applications, for ex- 
ample. Due to the very measure according to the invention, 
that at least part of the algorithm code is stored in a 
volatile memory of the chip card, it is rendered very dif- 

35 ficult for a potential attacker to perform functions of 
crucial security of the chip card, such as e.g. encryption 
algorithms and access functions to chip card specific in- 
formation, such as a balance etc., since these are not per- 
manently stored on the chip card and thus are not in the 

4 0 possession of the potential attacker, but rather are lost 
if supply energy is no longer received. The attempt of pro- 
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5 tecting the volatile memory against loss of this function 
turns out to be very difficult and may be deemed to be not 
realizable in practical application. 

It is pointed out furthermore that the processes according 
10 to the invention, the terminal according to the invention 
as well as the chip card according to the invention may be 
implemented in a variety of ways. The corresponding steps 
or means may be implemented by way of software, firmware or 
hardware in conjunction with non-volatile memories. In ad- 
15 dition thereto, the term chip card, as utilized hereinbe- 
fore, should not be restricted to the form of a card, but 
rather is to comprise also all other forms of chip carriers 
used in similar manner. 

2 0 A current possibility of realization of the present inven- 
tion consists, for example, in the processor of product 
family SLE66CX3 2 0P -of the company Infineon AG, which by way 
of an MMU (MMU = Memory Management Unit) renders possible 
to run a code stored in a RAM in that it controls memory 

2 5 access operations to the RAM. In the simplest case, already 
the transfer of encrypted jump addresses or memory ad- 
dresses from the terminal to the chip card would effec- 
tively prevent that a "native code 1 ' or machine code can be 
loaded by a potential attacker. Already with such a simple 

30 realization of the present invention, an attacker would not 
be able to perform the security computations in the chip 
card, since the jump addresses and thus the sequences would 
be unknown. This idea may be imparted to a customer of such 
a component by drafting an application note, thereby in- 

35 creasing the security of the application with corresponding 
realization thereof in the controller software of the chip 
card and in the terminal software . 

Potential attackers in possession of a chip card according 
4 0 to the invention just have the protected data, but they can 
neither initiate an accounting operation nor exactly deter- 
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5 mine the algorithm code. In combination with secured termi- 
nals and intelligent access protection mechanisms with re- 
spect to the reloadability of program parts, the present 
invention thus achieves a very high level of security. 



10 



